Certification Service Provider of the Ministry of Employment and Social Securityp. Profile for Electronic seal certificate

Transcription

1 SUBSECRETARÍA S.G. DE TECNOLOGÍAS DE LA INFORMACIÓN Y COMUNICACIONES Certification Service Provider of the Ministry of Employment and Social Securityp Profile for Electronic seal certificate sgtic@meyss.es C/ AGUSTÍN DE BETHENCOURT, MADRID TEL: FAX:

2 Identifier Title Responsible Version 1.4 Date Version control D303 Certification Service Provider of the Ministry of Employment and Social Security. Profile for Electronic seal certificate SG de Tecnologías de la Información y las Comunicaciones Ministerio de Empleo y Seguridad Social Version history Version Date Comments Final document ISO/IANA number changes of the MPR and in the oid of the Electronic seal certficate issued by CSPM Heading Change, suppression of DG de Servicios Suppression of the posibility of certificate request using valid certificates Changed SGPD to SGTIC Certificate description change (ELECTRONIC SEAL FOR AUTOMATED PROCESSING to ELECTRONIC SEAL) and OID change ( ) Organization Structure actualization and new format ii

3 Contents 1 Introduction Presentation Description... Error! Marcador no definido. 1.3 Document name and identification Document identification Identification of certificate types End users... Error! Marcador no definido. 1.5 Certificate usage Definitions and acronyms Definitions Acronyms... Error! Marcador no definido. 2 Identification Management of names Names types Administrative Identity and Normalization Operational requirements Certificate application Certificate issuance Certificate renewal Certificate revocation Profile for Electronic Seal certificate... 7 Annex A: References Annex B: Links (URL) iii

4 1 Introduction 1.1 Presentation This document contains the profile of the Electronic Seal Certificate issued by the Certification Service Provider of the Ministry of Employment and Social Security (CSPM). This document clarifies and supplements the CSPM Certification Practice Statement (CPSM) regarding Electronic Seal certificates. 1.2 Description Electronic Seal certificate is an authentication system for the automated administrative procedures and is described in LAECSP article 18th. It is a technical instrument that allows the electronic authentication of the public administration as well as the Electronic documents produced by them. The Electronic Seal certificates issued by the CSPM are qualified certificates as defined in the LFE and they meet the requirements for medium level assurance as defined in [EIFEBIII]. Following this scheme, medium level assurance implies X.509 certificates. The Electronic Seal certificates are X.509 qualified certificates stored in software containers, located in secure application servers. 1.3 Document name and identification Identification of this document This document name is Certification Service Provider of the Ministry of Employment and Social Security. Profile for Electronic Seal certificate, with the following information: - Document version Document status Published - Emission date June 30th Expiration date NA Internet address of this document is listed in Annex B Identification of certificate types Each certificate type has a dedicated OID, included in the PolicyIdentifier field of the certificate. Each OID is univocal and is not used to identify different types, policies or versions od issued certificates. OID for Electronic Seal certificate is: Electronic Seal Certificate: [ ] 1

5 1.4 End users End users are the persons or entities that own and use the electronic certificates issued by the CSPM certification authorities. There are different end user types: a. Certificate requester. b. Certificate subscriber. c. Certificate responsible. d. Certificate verifier. Certificate requesters are the public employees of the Administration department. Certificate subscribers of the Electronic Seal are the Public Administrations identified as such in the Subject Field. In the Common Name attribute is the name of the device, application or Server (name of the system) to which the certificate is associated. Those responsible for the custody of the certificate are the authorized public employees. Verifiers are the entities (including natural and legal persons, Public Administrations and other organizations) who, using an Electronic Seal certificate, issued by CPSM, verify the identity and authenticity of the automated administrative procedure, trusting on the validity of the relationship between an electronic system or device belonging to the administrative entity subscriber of the certificate and the public key of the certificate. 1.5 Certificate Usage Electronic Seal certificates issued under the CPSM shall be used only in the defined transactions inside the permitted systems and applications. Issuance of the Electronic Seal certificates under the CPSM obliges the subscriber to the acceptance and use thereof in the terms expressed in the CPSM. It is emphasized that falls outside the scope of the CPSM to ensure the technological feasibility of applications that make use of any of the certificate profiles defined by the CPSM. It is not allowed in any way the use of Electronic Seal certificates outside the scope described in the CPSM what could cause immediate revocation of the certificates by the misuse of the same. Electronic Seal certificate issued by the CSPM, corresponding to the one defined in the LAECSP, has its usage limited by the law dispositions. 1.6 Definitions and acronyims Definitions Within this document the following definitions are used: C Country: Distinguished Name attribute for an object within a X.500 directory structure. CN Common name: Distinguished Name attribute for an object within a X.500 directory structure. DN Univocal identification for an item within a X.500 directory. O Organization: Distinguished Name attribute for an object within X.500 directory structure.. OCSP On line Certificate Status Protocol: This protocol allows checking the 2

6 OU PIN PKCS RFC revocation status of an electronic certificate. Organizational Unit: Distinguished Name attribute for an object within a X.500 directory structure. Personal Identification Number: Password that protects access to a cryptographic card. Public Key Cryptography Standards is a set of standards defined by RSA Laboratories and internationally accepted. Request For Comments, standard documents emitted by IETF(Internet Engineering Task Force) Acronyms PPAA C CA CDP CEC CN CP CPS CPSM CRL CSP CSPM CSR CWA DN LAECSP LFE O OU OID OCSP RA RFC VA PPAA C CA CDP CEC CN CP CPS Public Administrations. Country. Certification Authority. CRL Distribution Point. Certificate Emision Code. Common Name. Certificate Policy. Certification Practice Statement Certification Practice Statement of the Ministry Certificate Revocation List. Cryptographic Service Provider. Cryptographic Service Provider of the Ministry. Certificate Signing Request. CEN Workshop Agreement. Distinguished Name. Law 11/2007 of June 22nd, on electronic access of citizens to Public Services (Ley 11/2007, de 22 de junio, de acceso electrónico de los ciudadanos a los Servicios Públicos). Law 59/2003 of December 19th on Electronic Signature (Ley 59/2003 de 19 de diciembre de Firma Electrónica). Organization. Organizational Unit. Object IDentifier. On-line Certificate Status Protocol. Registration Authority. Request For Comments. Validation Authority. Public Administrations. Country. Certification Authority. CRL Distribution Point. Certificate Emision Code. Common Name. Certificate Policy. Certification Practice Statement 3

7 2 Identification 2.1 Management of names Types of names Every certificate contains the DN, defined following the rules of the recommendation [ITU-T X.501], of the person and/or organization identified in the certificate, contained in the Subject field, including a Common Name attribute. All the issued certificates also meet the standard [IETF RFC 3280] Normalization and Administrative Identity The CSPM uses the normalized naming schema Administrative Identity proposed by the Spanish administration for every type of certificate and profile. The Administrative Identity object has the ISO/IANA number X.X, provided by the Spanish administration as a base to identify it, thus establishing a worldwide univocal identifier. The Administrative Identity number for the Electronic Seal certificate is: Electronic Seal for automated administrative procedures (Medium level of assurance) Certificate ELECTRONIC SEAL FOR AUTOMATED ADMINISTRATIVE PROCEDURES Mandatory Administrative Identity fields Type of certificate Name of the subscriber entity NIF of the subscriber entity System or component denomination Certificate ELECTRONIC SEAL FOR AUTOMATED ADMINISTRATIVE PROCEDURES Optional Administrative Identity fields DNI/NIE of the responsible Given name First surname Second surname address 4

8 3 Operational requirements 3.1 Application for certificates Only the public employees working for an administration body are allowed to start the application procedure for an electronic seal certificate for that body. The Certification Authority shall verify that he is indeed a public employee of the applicant organization. It is permitted the application without physical presence, based on administrative databases or applicable certificate. The only method currently allowed to request electronic seal certificates is via of an authorized public employee, sent from an internal account of the organism with the completed application form. Special attention will be paid to make sure the application form contains all the data corresponding to the certificate responsible person. Thus, methods based on indirect physical presence are used, since the physical identity validation has occurred previously and ministry records are constantly kept updated. The responsible of the certificates are the authorized public employees of the organization. The person responsible the Certification Entity shall approve or deny applications for certificates of electronic seal. If the request is refused, the Certification Entity shall notify the applicant thereof denial. The procedures established in this section also apply in case of renewal of certificates, as it involves the issuance of new certificates. 3.2 Issuance of certificates Upon approval of the application of the electronic seal certificate, the issuance of the same will be made safely. Delivery and acceptance of the certificate by the subscriber of the same is guaranteed by safe delivery to the responsible person. The CSPM uses a procedure to generate the certificates that securely links the certificates with the organization information, including the certified public. It also indicates the date and time in which they were issued and measures are taken against forgery of certificates and to ensure the secrecy of the keys during its generation process. The procedures established in this section also apply in case of renewal of certificates, as it involves the issuance of new certificates. 3.3 Certificate renewal The renewal of Electronic Seal Certificates means the issuance of new certificates, being necessary to carry out a new application and subsequent issuance as described in previous sections. Like with the application for the first time, procedures could be established in the future for the certificate renewal using valid certificates, and, if so, the applicant must authenticate remotely by certificate authentication in hardware support(cryptographic card), allowing no alternative to this practice. 5

9 3.4 Certificate revocation The CSPM authenticates requests and reports relating to revocation of Electronic Seal Certificates, checking that they come from an authorized person. Revocation requests must be sent to SGTIC (Subdirección General de Tecnologías de la Información y las Comunicaciones). Persons authorized to request revocation of this kind are the responsible persons of the same and the public employees within the organization with a rank level equal o higher to 30. Revocation mechanisms are allowed through internal accounts properly validated or by a writing form signed by the applicant for revocation. 6

10 4 Profile for Electronic Seal certificate The fields are the following: Field Description Contents 1. X.509v1 Field 1.1. Version 1.2. Serial Number 1.3. Issuer Distinguished Name Country (C) Organization (O) Locality (L) Organizational Unit (OU) Organizational Unit (OU) Common Name (CN) Serial Number 1.4. Validity Not Before Not After 1.5. Subject Country (C) Organization (O) Organizational Unit (OU) Serial Number Common Name X.509 Standard version for the certificate Certificate univocal identification number Country Official name of the cryptographic service provider (certificate issuer) Cryptographic service provider locality Organizational unit within the service provider, responsible for issuing the certificate Organizational unit within the service provider, responsible for issuing the certificate Common name of the cryptographic service provider (certificate issuer) NIF of the Ministry of Employment and Social Security Validity period: 3 years Start of validity period End of validity period País Official name of the subscriber entity Certificate type description NIF of the subscriber entity Name of the system or application where the 2 (= v3) 7c b6 c9 (sample) C = ES O = DE TRABAJO E INMIGRACION L = MADRID OU = SUBDIRECCION GENERAL DE PROCESO DE DATOS OU = PRESTADOR DE SERVICIOS DE CERTIFICACION MTIN CN = AC1 RAIZ MTIN S E UTCTime YYMMDDHHMMSSZ UTCTime YYMMDDHHMMSSZ C = ES O = Y SEGURIDAD SOCIAL (sample) OU = SELLO ELECTRONICO SerialNumber = S E (sample) CN = REGISTRO CENTRAL DEL MEYSS (sample) 7

11 Field Description Contents (CN) 1.6. Subject Public Key Info 1.7. Signature Algorithm And the extensions are the following: 2. X.509v3 Extensions automated procedure is Public key, codified following the cryptographic algorithm Signature algorithm SHA-1 RSA Signature, 1024 bit key length Field Description Contents 2.1. Authority Key Identifier Key Identifier AuthorityCertIssuer AuthorityCertSerial Number 2.2. Subject Key Identifier 2.3. crldistributionpoint distributionpoint distributionpoint 2.4. Authority Info Access Access Method Access Location 2.5. Issuer Alternative Name rfc822name Identification of the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys Issuer public key identifier Issuer certification path Serial number of the CA certificate Subject public key identifier (derived from the subject public key using SHA1 hash) Indicates how to obtain the CRL information Website where CRL is found (distribution point 1) Website where CRL is found (distribution point 2) C=ES, L=MADRID, O= DE TRABAJO E INMIGRACION, OU=SUBDIRECCION GENERAL DE TECNOLOGIAS DE LA INFORMACION Y LAS COMUNICACIONES. OU=PRESTADOR DE SERVICIOS DE CERTIFICACION, SERIALNUMBER=S E, CN=AC1 RAIZ MTIN URL CRL distribution point 1(see annex B) URL CRL distribution point 2(see annex B) Id-ad-ocsp OID OCSP Web address OCSP URL (see annex B) Alternative name for the contact person at the Issuer CA contact address at the issuer CA admin_ca@meyss.es 8

12 2.6. Key Usage Field Description Contents Digital Signature Content Commitment Key Encipherment Data Encipherment Key Agreement Key Certificate Signature CRL Signature 2.7. Extended Key Usage Protection Client Authentication Critical extension to determine certificate usage Used when the subject public key is used for verifying digital signatures Used when the software must allow user to know what is signing Used for keys management and transport Used to encipher data other tan cryptographic keys Used in key agreement protocol Used to sign certificates. It is used in the CA certificates Used to sign certificate revocation lists Selected 1 Selected 1 Selected 1 Selected 1 Not selected 0 Not selected 0 Not selected 0 protection OID Client authenticatioon OID Qualified Certificate Statements OcCompliance OcEuRetentionPeri od 2.9. Certificate Policies Policy Identifier Policy Qualifier ID DPC Pointer User Notice Subject Alternate Names rfc822name Qualified certificate statement OID Retention period for information (15 years) OID OID associated to the CPS OID CPS specification URL for the CPS CPSM URL location (see annex B) explicittext field Contact address at the subscriber entity " Qualified Electronic Seal certificate for Administration, Agency or Public entity, medium level of assurance. See the terms of use at < CPSM URL location (see annex B)> registro@meyss.es (sample) 9

13 Field Description Contents Directory Name Certificate Type Name NIF of the subscriber entity DNI/NIE of the responsible Denomination of the system or component Given name First surname Second surname Administrative Identity Certificate Type Name of the subscriber entity NIF of the subscriber entity DNI/NIE of the person responsible for the certificate Short description of the component that uses the Electronic Seal certificate Given name of the person responsible for the certificate First surname of the person responsible for the certificate Second surname of the person responsible for the certificate address of the person responsible for the certificate = SELLO ELECTRONICO = DE EMPLEO (sample) = S = (not used) = REGISTRO CENTRAL DEL Y SEGURIDAD SOCIAL (sample) = (not used) = (not used) = (not used) = (not used) 10

14 Annex A: References EIFEBIII Esquema de identificación y firma electrónica de las Administraciones Públicas. Bloque III (Public Administrations scheme for identification and electronic signature. Part III) ITU-T X.501 ITU-T Recommendation X.501 TC2 (08/1997) ISO/IEC :1998. IETF RFC 3280 Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. 11

15 Annex B: Links (URL) CPSM and certificate profile location: OCSP Location: CRL publication address: - Distribution point 1: - Distribution point 2: 12